v6.1.0

@JoelSpeed released this 27 Aug 14:19
· 735 commits to master since this release
37026b6

Release Highlights

  • Redis session stores now support authenticated connections
  • Error logging can now be separated from info logging by directing error logs to stderr
  • Added --session-cookie-minimal flag which helps prevent large session cookies
  • Improvements to force-https behaviour
  • Allow requests to skip authentication based on their source IP

Important Notes

  • #632 Sessions from v5 remain backwards compatible
    • Any unencrypted sessions from before v5 that only contained a Username & Email will trigger a reauthentication

Breaking Changes

N/A

Changes since v6.0.0

  • #742 Only log no cookie match if cookie domains specified (@JoelSpeed)
  • #562 Create generic Authorization Header constructor (@JoelSpeed)
  • #715 Ensure session times are not nil before printing them (@JoelSpeed)
  • #714 Support passwords with Redis session stores (@NickMeves)
  • #719 Add Gosec fixes to areas that are intermittently flagged on PRs (@NickMeves)
  • #718 Allow Logging to stdout with separate Error Log Channel
  • #690 Address GoSec security findings & remediate (@NickMeves)
  • #689 Fix finicky logging_handler_test from time drift (@NickMeves)
  • #700 Allow OIDC Bearer auth IDTokens to have empty email claim & profile URL (@NickMeves)
  • #699 Align persistence ginkgo tests with conventions (@NickMeves)
  • #696 Preserve query when building redirect
  • #561 Refactor provider URLs to package level vars (@JoelSpeed)
  • #682 Refactor persistent session store session ticket management (@NickMeves)
  • #688 Refactor session loading to make use of middleware pattern (@JoelSpeed)
  • #593 Integrate upstream package with OAuth2 Proxy (@JoelSpeed)
  • #687 Refactor HTPasswd Validator (@JoelSpeed)
  • #624 Allow stripping authentication headers from whitelisted requests with --skip-auth-strip-headers (@NickMeves)
  • #673 Add --session-cookie-minimal option to create session cookies with no tokens (@NickMeves)
  • #632 Reduce session size by encoding with MessagePack and using LZ4 compression (@NickMeves)
  • #675 Fix required ruby version and deprecated option for building docs (@mkontani)
  • #669 Reduce docker context to improve build times (@JoelSpeed)
  • #668 Use req.Host in --force-https when req.URL.Host is empty (@zucaritask)
  • #660 Use builder pattern to simplify requests to external endpoints (@JoelSpeed)
  • #591 Introduce upstream package with new reverse proxy implementation (@JoelSpeed)
  • #576 Separate Cookie validation out of main options validation (@JoelSpeed)
  • #656 Split long session cookies more precisely (@NickMeves)
  • #619 Improve Redirect to HTTPs behaviour (@JoelSpeed)
  • #654 Close client connections after each redis test (@JoelSpeed)
  • #542 Move SessionStore tests to independent package (@JoelSpeed)
  • #577 Move Cipher and Session Store initialisation out of Validation (@JoelSpeed)
  • #635 Support specifying alternative provider TLS trust source(s) (@k-wall)
  • #649 Resolve an issue where an empty healthcheck URL and ping-user-agent returns the healthcheck response (@jordancrawfordnz)
  • #662 Do not add Cache-Control header to response from auth only endpoint (@johejo)
  • #552 Implements --trusted-ip option to allow clients behind specified IPs or CIDR ranges to bypass authentication (@Izzette)
  • #733 dist.sh: remove go version from asset links (@syscll)